CERIAS - Center for Education and Research in Information Assurance and Security

Purdue University

Widespread Misuse of AES-GCM: How Password Length Leakage Helps Mallory Crack Bob’s Password

Principal Investigator: John Springer

We report on an observational study of network traffic involving protocols that use the popular AES-GCM cipher, i.e., TLS v1.2–1.3 and QUIC. Our observational study reveals widespread misuse of the AES-GCM cipher in the wild. The RFC for TLS 1.2 advises developers to pad data whenever plaintext length might be considered sensitive, since this length can be inferred directly from an AES-GCM ciphertext (e.g., passwords, counter-surveillance, VPNs). By contrast, our observational study reveals many high-profile examples (e.g., Google Mail, Chase Bank, Cisco VPN) where plaintext length is clearly sensitive and can be inferred from encrypted network traffic. For example, we found that an attacker could automatically infer a Google Mail (resp. Chase Bank) user's password length from encrypted QUIC traffic (resp. TLS v1.2 traffic). We then describe an economic analysis of such leakage. Our analysis indicates that knowledge of a target user's password length can have significant value to an online password attacker, who can dramatically increase his success rate by eliminating passwords with the wrong length from his dictionary. Finally, we propose a patch that organizations such as Google and Chase could adopt to eliminate password length
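The leakage described above, as an added example that is not code from the study: AES-GCM produces a ciphertext of exactly len(plaintext)+16 bytes, so a record length reveals a password's length, and padding plaintexts up to a fixed bucket size (an illustrative scheme assumed here, not the paper's proposed patch) collapses different password lengths onto the same ciphertext length.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// GCMCiphertextLen seals plaintext under a fresh random AES-256 key and nonce and
// returns the ciphertext length. GCM adds a 16-byte tag and no padding, so this is
// always len(plaintext)+16: the record length gives away the plaintext length.
func GCMCiphertextLen(plaintext []byte) int {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return len(aead.Seal(nil, nonce, plaintext, nil))
}

// PadToBucket pads plaintext to the next multiple of bucket bytes (bucket <= 255),
// recording the padding length in the last byte, so the ciphertext length reveals
// only the bucket. Illustrative scheme assumed here, not the paper's proposed patch.
func PadToBucket(plaintext []byte, bucket int) []byte {
	padLen := bucket - len(plaintext)%bucket // always 1..bucket, so it fits one byte
	out := append(append([]byte{}, plaintext...), make([]byte, padLen-1)...)
	return append(out, byte(padLen))
}

// Unpad reverses PadToBucket by dropping the trailer whose length is in the last byte.
func Unpad(padded []byte) []byte {
	return padded[:len(padded)-int(padded[len(padded)-1])]
}
func main() {
	for _, pw := range []string{"hunter2", "correcthorse", "Tr0ub4dor&3!xyz"} { // constructed samples
		fmt.Printf("%-16s raw %2d bytes, padded(32) %2d bytes\n", pw, GCMCiphertextLen([]byte(pw)), GCMCiphertextLen(PadToBucket([]byte(pw), 32)))
	}
}
```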


Other PIs: Jeremiah Blocki, Rob Morton, Ben Harsha, Melissa Dark